December 10, 2024
SINGAPORE – Singaporean Melvin Chan’s recent holiday to Japan with his wife turned into a nightmare after he found their bank accounts blocked and credit cards cancelled by identity thieves who rang up the banks and pretended to be them.
Mr Chan, 35, and his wife were at the Tokyo DisneySea theme park on Oct 7 when they realised that none of their cards was working.
“DisneySea is a cashless attraction. Almost everything there requires you to pay with card – from restaurants to the express passes for the rides. I think maybe only the souvenir shops accepted cash payment,” said Mr Chan.
The couple spent three hours calling DBS Bank, UOB and OCBC Bank from the theme park – racking up $200 in roaming charges in the process – and would later find out that their cards had been cancelled by someone else who called the banks.
The person, who posed as Mr Chan, asked the banks to do so on the pretext that he had lost his belongings.
“We were shocked to find that all my credit cards were cancelled and our bank accounts were blocked. The bank officers told us that we would need to be back in Singapore to reinstate them,” said Mr Chan, who has reported the matter to the police.
“My wife is Thai… so we transferred money from her bank account in Thailand to my YouTrip travel card. She has limited funds in that account and we carried on the rest of the trip with limited funds.”
The police confirmed that the reports were made and are looking into the matter.
Mr Chan added that he did not lose any money from his accounts when this happened. But this incident surfaced as banks face increasing pressure to safeguard customer funds from scams and fraud.
Figures from the police show that scam victims in Singapore lost $385.6 million in the first six months of 2024, with a record 26,587 cases logged during that period.
UOB and OCBC told The Straits Times that safeguarding the funds in their customers’ accounts is their top priority and that card blocking and cancellation are important anti-fraud measures.
Mr Chan said the two banks cancelled his cards after receiving calls from someone who claimed to be him. The caller had apparently passed identity verification requests after a few failed attempts.
Mr Chan said he is upset with the banks for not attempting to contact him when the caller initially failed the verification questions.
When asked about what had happened, a UOB spokesman said the bank prioritises the “swift securing of the customer’s account” against any unauthorised access.
“Callers are required to provide personal details of the card holders such as their NRIC number, card and account details. This approach is in line with industry standards,” he said.
Acknowledging the inconvenience faced by Mr Chan, an OCBC spokesman said the bank will continue to enhance its processes “to strike the right balance between security and convenience for (its) customers”, and expressed readiness to assist in police investigations.
As for DBS, the bank said it received a similar request to block Mr Chan’s cards and “immediately acted to prioritise his account and card security by following (its) protocol for card blocking”.
For DBS, callers need only to provide an account holder’s full name and phone or NRIC number for cards to be blocked.
Mr Chan said he urged the bank to introduce stronger safeguards, such as requiring a one-time password (OTP) before blocking accounts.
DBS confirmed that its customer service team helped Mr Chan by implementing an additional security alert on his profile, and ensuring all further instructions concerning his account and cards are undertaken only via calls verified with an additional SMS OTP.
Mr Chan said his wife faced an issue accessing her DBS savings account online.
“When my wife tried to log in to DBS iBanking from Tokyo, there was a message telling her to (contact) the call centre for assistance. Until today, I have not heard from the bank how this could have happened,” said Mr Chan.
“My wife and I are victims of an impersonation attack and the caller’s intention was to block our access to our finances and disrupt our holiday.”
The ordeal has taught Mr Chan that the banks’ thresholds for identity verification can be quite low, which, he points out, creates potential loopholes. Some banks even allow a third party, such as a family member, to make cancellations.
“As long as someone has your full name and phone number, the person can call the bank to block your credit card,” he said.
He added that the banks have so far declined to give him details on what verification questions were posed to the impersonator, meaning he has been unable to take any immediate steps to safeguard his data.
As for who has been impersonating him, Mr Chan suspects the caller is someone his wife knows from work. The person had apparently also called up the gym frequented by the couple and tried to transfer their memberships to another branch.
“We were able to trace the caller’s number through the gym and found it was linked to this person my wife knows from work,” said Mr Chan.
Lawyer Sunil Sudheesan, head of the criminal law department at Quahe Woo & Palmer, warned that the low thresholds for verification – where banks accept requests with minimal details such as a full name and NRIC number, and third-party cancellations – can create an opportunity for people with bad intentions to exploit.
“The threshold as it stands is necessarily low given the spectrum of consumers out there. However, some level of verification with card holders would be ideal,” said Mr Sudheesan.
“I support a callback verification mechanism, but freeze accounts in the meantime as opposed to immediately cancelling them at face value when a third party calls.”
He added that impersonation could constitute an offence under the Penal Code if a person is found to be cheating by pretending to be another person. The offence carries a penalty of up to five years’ jail, a fine, or both.